/**
* Mapping suites to a set of algorithms
+ *
+ * The order represents the descending preference of cipher suites and follows
+ * this rule set:
+ *
+ * 1. TLS 1.3 > Legacy TLS
+ * 2. AES > CAMELLIA > NULL
+ * 3. AES256 > AES128
+ * 4. GCM > CBC
+ * 5. ECDHE > DHE > NULL
+ * 6. ECDSA > RSA
+ * 7. SHA384 > SHA256 > SHA1
+ *
*/
static suite_algs_t suite_algs[] = {
/* Cipher suites of TLS 1.3: key exchange and authentication
* delegated to extensions, therefore KEY_ANY, MODP_NONE, PRF_UNDEFINED */
- { TLS_AES_128_GCM_SHA256,
- KEY_ANY, MODP_NONE,
- HASH_SHA256, PRF_UNDEFINED,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
- TLS_1_3, TLS_1_3,
- },
{ TLS_AES_256_GCM_SHA384,
KEY_ANY, MODP_NONE,
HASH_SHA384, PRF_UNDEFINED,
AUTH_HMAC_SHA2_384_384, ENCR_AES_GCM_ICV16, 32,
TLS_1_3, TLS_1_3,
},
+ { TLS_AES_128_GCM_SHA256,
+ KEY_ANY, MODP_NONE,
+ HASH_SHA256, PRF_UNDEFINED,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_GCM_ICV16, 16,
+ TLS_1_3, TLS_1_3,
+ },
{ TLS_CHACHA20_POLY1305_SHA256,
KEY_ANY, MODP_NONE,
HASH_SHA256, PRF_UNDEFINED,
TLS_1_3, TLS_1_3,
},
/* Legacy TLS cipher suites */
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- KEY_ECDSA, ECP_256_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
- TLS_1_0, TLS_1_2,
+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ KEY_ECDSA, ECP_384_BIT,
+ HASH_SHA384, PRF_HMAC_SHA2_384,
+ AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ TLS_1_2, TLS_1_2,
},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
- KEY_ECDSA, ECP_256_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ KEY_ECDSA, ECP_384_BIT,
+ HASH_SHA384, PRF_HMAC_SHA2_384,
+ AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
TLS_1_2, TLS_1_2,
},
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
TLS_1_0, TLS_1_2,
},
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
- KEY_ECDSA, ECP_384_BIT,
- HASH_SHA384, PRF_HMAC_SHA2_384,
- AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
- TLS_1_2, TLS_1_2,
- },
{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
KEY_ECDSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
TLS_1_2, TLS_1_2,
},
- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- KEY_ECDSA, ECP_384_BIT,
- HASH_SHA384, PRF_HMAC_SHA2_384,
- AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ KEY_ECDSA, ECP_256_BIT,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
TLS_1_2, TLS_1_2,
},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- KEY_RSA, ECP_256_BIT,
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ KEY_ECDSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
TLS_1_0, TLS_1_2,
},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
- KEY_RSA, ECP_256_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
- TLS_1_2, TLS_1_2,
- },
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
KEY_RSA, ECP_384_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
- TLS_1_0, TLS_1_2,
+ HASH_SHA384, PRF_HMAC_SHA2_384,
+ AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ TLS_1_2, TLS_1_2,
},
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
KEY_RSA, ECP_384_BIT,
AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32,
TLS_1_2, TLS_1_2,
},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ KEY_RSA, ECP_384_BIT,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
+ TLS_1_0, TLS_1_2,
+ },
{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
KEY_RSA, ECP_256_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
TLS_1_2, TLS_1_2,
},
- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- KEY_RSA, ECP_384_BIT,
- HASH_SHA384, PRF_HMAC_SHA2_384,
- AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ KEY_RSA, ECP_256_BIT,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
TLS_1_2, TLS_1_2,
},
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- KEY_RSA, MODP_2048_BIT,
- HASH_SHA256,PRF_HMAC_SHA2_256,
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ KEY_RSA, ECP_256_BIT,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
- SSL_3_0, TLS_1_2,
+ TLS_1_0, TLS_1_2,
},
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
- KEY_RSA, MODP_3072_BIT,
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+ KEY_RSA, MODP_4096_BIT,
+ HASH_SHA384, PRF_HMAC_SHA2_384,
+ AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ TLS_1_2, TLS_1_2,
+ },
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+ KEY_RSA, MODP_4096_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
TLS_1_2, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
SSL_3_0, TLS_1_2,
},
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
KEY_RSA, MODP_4096_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
+ AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
TLS_1_2, TLS_1_2,
},
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ KEY_RSA, MODP_3072_BIT,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
+ SSL_3_0, TLS_1_2,
+ },
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
KEY_RSA, MODP_3072_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
TLS_1_2, TLS_1_2,
},
- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
- KEY_RSA, MODP_4096_BIT,
- HASH_SHA384, PRF_HMAC_SHA2_384,
- AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ KEY_RSA, MODP_3072_BIT,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
TLS_1_2, TLS_1_2,
},
- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
KEY_RSA, MODP_2048_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
+ HASH_SHA256,PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
SSL_3_0, TLS_1_2,
},
{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
TLS_1_2, TLS_1_2,
},
- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
- KEY_RSA, MODP_3072_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
- SSL_3_0, TLS_1_2,
- },
- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
- KEY_RSA, MODP_4096_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
- TLS_1_2, TLS_1_2,
- },
- { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
KEY_RSA, MODP_2048_BIT,
HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
+ AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
SSL_3_0, TLS_1_2,
},
- { TLS_RSA_WITH_AES_128_CBC_SHA,
+ { TLS_RSA_WITH_AES_256_GCM_SHA384,
KEY_RSA, MODP_NONE,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
- SSL_3_0, TLS_1_2,
+ HASH_SHA384, PRF_HMAC_SHA2_384,
+ AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ TLS_1_2, TLS_1_2,
},
- { TLS_RSA_WITH_AES_128_CBC_SHA256,
+ { TLS_RSA_WITH_AES_256_CBC_SHA256,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
TLS_1_2, TLS_1_2,
},
{ TLS_RSA_WITH_AES_256_CBC_SHA,
AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32,
SSL_3_0, TLS_1_2,
},
- { TLS_RSA_WITH_AES_256_CBC_SHA256,
- KEY_RSA, MODP_NONE,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32,
- TLS_1_2, TLS_1_2,
- },
{ TLS_RSA_WITH_AES_128_GCM_SHA256,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16,
TLS_1_2, TLS_1_2,
},
- { TLS_RSA_WITH_AES_256_GCM_SHA384,
+ { TLS_RSA_WITH_AES_128_CBC_SHA256,
KEY_RSA, MODP_NONE,
- HASH_SHA384, PRF_HMAC_SHA2_384,
- AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32,
+ HASH_SHA256, PRF_HMAC_SHA2_256,
+ AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16,
TLS_1_2, TLS_1_2,
},
- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ { TLS_RSA_WITH_AES_128_CBC_SHA,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
+ AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16,
SSL_3_0, TLS_1_2,
},
- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
+ AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
TLS_1_2, TLS_1_2,
},
{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32,
SSL_3_0, TLS_1_2,
},
- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32,
+ AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16,
TLS_1_2, TLS_1_2,
},
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
- KEY_ECDSA, ECP_256_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
- TLS_1_0, TLS_1_2,
- },
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- KEY_RSA, ECP_256_BIT,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
- TLS_1_0, TLS_1_2,
- },
- { TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_3DES, 0,
+ AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16,
SSL_3_0, TLS_1_2,
},
{ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
TLS_1_0, TLS_1_2,
},
- { TLS_RSA_WITH_NULL_SHA,
- KEY_RSA, MODP_NONE,
- HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
- SSL_3_0, TLS_1_2,
- },
{ TLS_RSA_WITH_NULL_SHA256,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0,
TLS_1_2, TLS_1_2,
},
- { TLS_RSA_WITH_NULL_MD5,
+ { TLS_RSA_WITH_NULL_SHA,
KEY_RSA, MODP_NONE,
HASH_SHA256, PRF_HMAC_SHA2_256,
- AUTH_HMAC_MD5_128, ENCR_NULL, 0,
- SSL_2_0, TLS_1_2,
+ AUTH_HMAC_SHA1_160, ENCR_NULL, 0,
+ SSL_3_0, TLS_1_2,
},
};
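Review bot: The rule list added to the header comment does not say how the seven rules rank against each other, and the reordered table does not apply them the same way in every group: under DHE_RSA the two CAMELLIA_256 entries come before the AES_128 entries, while under plain RSA the AES_128 entries come before CAMELLIA_256. Either move the DHE_RSA CAMELLIA_256 entries below `TLS_DHE_RSA_WITH_AES_128_CBC_SHA`, or state the intended precedence in the comment, e.g. `* NULL-encryption suites come last; the rest is grouped by key exchange and authentication (rules 5, 6), then ordered by rules 2, 3, 4, 7.` In every group the AES_256_CBC_SHA entry (HMAC-SHA1, MAC-then-encrypt) also ranks above AES_128_GCM, so key size outranks rule 4. If this order drives negotiation (the selection code is not in this hunk), ranking the AEAD suites ahead of all CBC suites would be closer to current TLS guidance. The comment also leaves out where `TLS_CHACHA20_POLY1305_SHA256` fits in rule 2.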
suites[remaining++] = suites[i];
break;
}
- if (strcaseeq(token, "3des") &&
- suites[i].encr == ENCR_3DES)
- {
- suites[remaining++] = suites[i];
- break;
- }
if (strcaseeq(token, "null") &&
suites[i].encr == ENCR_NULL)
{
enumerator = enumerator_create_token(config, ",", " ");
while (enumerator->enumerate(enumerator, &token))
{
- if (strcaseeq(token, "md5") &&
- suites[i].mac == AUTH_HMAC_MD5_128)
- {
- suites[remaining++] = suites[i];
- break;
- }
if (strcaseeq(token, "sha1") &&
suites[i].mac == AUTH_HMAC_SHA1_160)
{